Dave Johnson
2004-Aug-25 22:14 UTC
[patch] sshd with re-exec disabled causes stdin to get closed.
I ran into a bug while testing 3.9p1.

If you start sshd with -r (re-exec disabled), once the daemon is forked to handle a client, the child closes stdin by accident.

This causes FD 0 to get re-used by the next open call which eventually you end up with a mess. In the particular case I saw, the pty fd ended up on FD 0 was closed by do_exec_pty(), pty_make_controlling_tty() then opened a new ttyfd as 0, and do_exec_pty() duped it dup2(0,0), dup2(0,1), dup2(0,2), then called close(ttyfd); which closed 0!

Patch against openssh-3.9p1 is attached.

-- Dave
Damien Miller
2004-Aug-26 10:48 UTC
[patch] sshd with re-exec disabled causes stdin to get closed.
Dave Johnson wrote:
> I ran into a bug while testing 3.9p1.
>
> If you start sshd with -r (re-exec disabled), once the daemon is
> forked to handle a client, the child closes stdin by accident.
>
> This causes FD 0 to get re-used by the next open call which eventually
> you end up with a mess. In the particular case I saw, the pty fd
> ended up on FD 0 was closed by do_exec_pty(),
> pty_make_controlling_tty() then opened a new ttyfd as 0, and
> do_exec_pty() duped it dup2(0,0), dup2(0,1), dup2(0,2), then called
> close(ttyfd); which closed 0!
>
> Patch against openssh-3.9p1 is attached.

Could you resend the patch or post it on a website (or bugzilla) - the mailing list server eats any attachments that aren't text/plain.

-d
Dave Johnson
2004-Aug-26 12:25 UTC
[patch] sshd with re-exec disabled causes stdin to get closed.
Dave Johnson writes:
>
> I ran into a bug while testing 3.9p1.
>
> If you start sshd with -r (re-exec disabled), once the daemon is
> forked to handle a client, the child closes stdin by accident.
>
> This causes FD 0 to get re-used by the next open call which eventually
> you end up with a mess. In the particular case I saw, the pty fd
> ended up on FD 0 was closed by do_exec_pty(),
> pty_make_controlling_tty() then opened a new ttyfd as 0, and
> do_exec_pty() duped it dup2(0,0), dup2(0,1), dup2(0,2), then called
> close(ttyfd); which closed 0!
>
> Patch against openssh-3.9p1 is attached.

Patch is now also at: http://centerclick.org/reexec.patch

-- Dave
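
The descriptor reuse described in this thread, reduced to a stand-alone C program (an added example, not part of the thread and not the patch Dave refers to). The function names are hypothetical and /dev/null stands in for the pty slave; the guarded variant shows one defensive form of the dup2/close sequence.

```c
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Sequence described in the thread: correct only when ttyfd is not 0, 1 or 2. */
static void attach_naive(int ttyfd)
{
    dup2(ttyfd, 0);             /* dup2(0,0) is a no-op when ttyfd == 0 */
    dup2(ttyfd, 1);
    dup2(ttyfd, 2);
    close(ttyfd);               /* when ttyfd == 0 this closes the new stdin */
}

/* Guarded form (assumption, not the thread's patch): close only outside 0..2. */
static void attach_guarded(int ttyfd)
{
    dup2(ttyfd, 0);
    dup2(ttyfd, 1);
    dup2(ttyfd, 2);
    if (ttyfd > 2)
        close(ttyfd);
}

/*
 * Runs in a forked child so the caller's descriptors are untouched.
 * Returns 1 if fd 0 is open afterwards, 0 if it was closed,
 * 2 if the stand-in descriptor did not land on fd 0, -1 on error.
 */
static int stdin_survives(void (*attach)(int))
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(0);                              /* the accidental close of stdin */
        int ttyfd = open("/dev/null", O_RDWR); /* lowest free fd, so it gets 0 */
        if (ttyfd != 0)
            _exit(2);
        attach(ttyfd);
        _exit(fcntl(0, F_GETFD) != -1);        /* is fd 0 still valid? */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    return !(stdin_survives(attach_naive) == 0 && stdin_survives(attach_guarded) == 1);
}
```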